Cyber espionage attack against Israel is not an isolated event

Once again Middle East area is the scene of a series of cyber attacks, several malware attacks have hit over the last year Israeli and Palestinian systems apparently having a common origin. A group of experts from Norwegian antivirus and security firm Norman ASA have discovered a new cyber espionage campaign against the countries that used various malware to spy on victims.

Cyber espionage is one of privileged form of intelligence of the last years, the use of technological instruments to steal sensible information and industrial secrets is widespread.

Let’s step back returning to the previous October when a cyber attack hit Israeli institutions and law enforcement forcing the government to shut down Internet access for its police and prohibiting the use of memory sticks and mobile storage to avoid the diffusion of malicious agent.

As usual the cyber espionage campaign was driven by a spamming activity of malicious emails that claim to be sent Benny Gantz, Chief of General Staff of the Israel Defense Forces, and reporting in the subject the news of an IDF strike against opponents in Gaza Strip. The message text anticipates the content of the attached .zip file that claims to contain reports and photos of the attack. According Trend Micro firm the initial target of that attack was the Israeli Customs agency.

In fact the file attached to the email hides a known malware, the XtremeRat trojan, which was largely used in surveillance campaigns by many regime such as Syrian government. Xtreme Rat is a malware that belong to the Remote Access Tool category really simple to retrieve on line at a low price (Full version Price: €100 EUR). The malware is continuosly improved, last version is Windows 8 compatible and has included new powerful capabilities to audio and video capture and for password stealing from common browsers.

Once again the malware was signed to fool victims into believing that its source code came from a trusted source, in this case the code has been signed with a Microsoft certified. Installation for certain types of software could needs that its code is digitally signed with a trusted certificate, by stealing the certificate of a trusted vendor reduces the possibility that the malicious software being detected as quickly. That is exactly what happend for Stuxnet virus.

Fagerland revealed that they have found that oldest malware signed with the same Microsoft certificate and dated October 2011, after eight months from this attacks a new wave of malicious code signed with same certificate hit Israeli targets.

The experts of Norman analyzing the tool have tried to discover the source of the attack but unfortunatelly the retrieved info doesn’t give any valuable information, let’s remind that the attacks could be started form any region of the globe from a compromised system.

“What is behind these IP addresses is hard to establish. It is possible they are hacked boxes and as such do not give much valid information. If that were the case, one might have expected a greater IP range and geographical distribution, but nothing is certain,”.

“In the following investigation we first found several other trojans similarly signed, then many more trojans connecting to the same command & control structure as the first batch.”. “The Command & Control structure is centered around a few dynamic DNS (DynDNS) domains that at the time of writing point to hosting services in the US.”

Snorre Fagerland, a senior virus researcher at Norman, declared in an interview with KrebsOnSecurity blog :

“These malwares are set up to use the same framework, talk to same control servers, and have same spoofed digital certificate,“In my view, they are same attackers.”

As always in these cases one thousand fanciful hypotheses circulating on the network without foundation, some argue that this is an Iranian offensive, others that it may be an US operation or conducted by an European government in search of information.

KrebsOnSecurity blog proposed results of researches made analyzing the metadata included in most of the email bait files. The files, typically Microsof Word documents, have been created and saved by a limited number of users named “Hitham,” “Tohan,” Aert,” and “Ayman.” Searching on hacker forums popular in the Middle East it is possible to find several accounts using these nicknames at a forum called Gaza-Hacker.net. KrebsOnSecurity states:

“The profiles of both Hitham (pictured below) and Aert suggest they are young men from Algeria. Hitham’s signature suggests he is a member of a group calling itself the Gaza Hackers Team, which claimed responsibility for defacing Israeli government sites earlier this year with messages calling for “Death to Israel.”

Personally I don’t believe that the attacks are related to Chinese hackers, despite the attack techniques appear similar, in this case hackers have used common malware that doesn’t requested particular knowledge differently from what’s happened for Operation Aurora and the Elderwood project.

I think that the hypothesis proposed by KrebOnSecurity are very likely.

Share On

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.